Re: Does snort.conf have conflicting comments?

[Martin Roesch <roesch () sourcefire com>]

The actual problem is that plugin authors have no guidelines as to
argument formatting in their code, so we end up with whatever people
feel comfortable with when they're writing it.  This is a recognized
problem, and we'll properly address it in 2.0...

     -Marty


Phil Wood wrote:
> On Sun, Nov 11, 2001 at 11:19:51AM -0800, Erek Adams wrote:
> > In looking at the current (CVS) snort.conf, I noticed something.
> >
> > Lines 37-42 discuss how to set the HOME_NET variable.  They mention how to
> > place multiple IP's into a list.
> >
> >     37  # You can specify lists of IP addresses for HOME_NET
> >     38  # by separating the IPs with commas like this:
> >     39  #
> >     40  # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> >     41  #
> >     42  # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> >
> > Now, looking down a bit....
> >
> >    227  # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> >    228  # specific networks or hosts to reduce false alerts. It is typical
> >    229  # to see many false alerts from DNS servers so you may want to
> >    230  # add your DNS servers here. You can all multiple hosts/networks
> >    231  # in a whitespace-delimited list.
> >    232  #
> >    233  preprocessor portscan-ignorehosts: $DNS_SERVERS
> >
> > It refers to a 'whitespace delimited list'.
> >
> > Is this right, wrong, or a feature of using a variable in the ignorehosts
> > line?  Or do I just need to get some coffee?  :)
>
> Candy is dandy, but liquor quicker.  It would be nice if ip lists in snort were
> consistant.  They are not.  I been there.  Done that.  Currently, I'm in
> limbo doing other things.  It would be nice to make a pass on the syntax,
> enforce new syntax for plugins, plugouts, and other configuration what's-its.
>
> The reason I'm pick'n on this bone is that I just got my first bug report
> on my "vim" syntax file for snort (it's been released with a new release of
> vim).  So, I jumped into my code and started "fixin" things.  Every damn
> preprocessor and output plugin has a different way of specifying the same
> sets of things: ip lists, port lists, var=value, etc.  I need some "coffee".
>
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Phil Wood, cpw () lanl gov
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users